It isn't that System Apps actively bypass the VPN tunnel, but they can if they want to, on-demand [0]. That is, System Apps retain the ability to bind to any network interface. Whether they do so, is anyone's guess.
For installed apps, there's no such respite, iff one enables 'Block connections without VPN' (the VPN lockdown mode) on Android 10+ (but NetGuard doesn't support it). This means in the times when NetGuard crashes or restarts (which it does on network changes, for example, or even on screen-off/screen-on, from what I recall), there's a chance the traffic flows through underlying interfaces rather than the tunnel (because the tunnel simply doesn't exist in the interim).
Datura (ebpf based) on CalyxOS and AfWall+ on any rooted Android can block out everything it pleases, though.
I don't mean to downplay NetGuard, because the codebase has evolved in response to years of addressing flaky networks, flawed apps, buggy Android forks. Marcel, the lead developer, has put his life's work into it and gave it away for free. The app I co-develop is, in fact, inspired from his efforts.
I see, thank you for explaining! Good to know that rooting your phone still has some benefits. I wouldn't have thought that there's such an easy bypass for system apps, but I suppose it makes sense for some modem/carrier apps to specify an interface.
I absolutely love Netguard even though I don't really use a firewall in practice (I was sort of hoping a permanent VPN with some "real" traffic meddling would be enough to block most violations of my privacy). It's the one rootless firewall that actually just works on practically any device you can think of, among a sea of broken/scammy firewalls that fail all kinds of edge cases.
> It's the one rootless firewall that actually just works on practically any device you can think of, among a sea of broken/scammy firewalls that fail all kinds of edge cases.
For installed apps, there's no such respite, iff one enables 'Block connections without VPN' (the VPN lockdown mode) on Android 10+ (but NetGuard doesn't support it). This means in the times when NetGuard crashes or restarts (which it does on network changes, for example, or even on screen-off/screen-on, from what I recall), there's a chance the traffic flows through underlying interfaces rather than the tunnel (because the tunnel simply doesn't exist in the interim).
Datura (ebpf based) on CalyxOS and AfWall+ on any rooted Android can block out everything it pleases, though.
I don't mean to downplay NetGuard, because the codebase has evolved in response to years of addressing flaky networks, flawed apps, buggy Android forks. Marcel, the lead developer, has put his life's work into it and gave it away for free. The app I co-develop is, in fact, inspired from his efforts.
[0] https://github.com/celzero/rethink-app/issues/224